Jimmy's weblog

11/10/2011

Upgrading Samba from plaintext passwords to encrypted passwords

Filed under: — jimmy @ 5:23 pm

Recently I had to upgrade a samba installation which was using plaintext passwords. This is not as rare as one might think because some companies couldn’t upgrade from win95 PCs as those were coupled to machines which didn’t support newer versions. For plaintext passwords samba uses /etc/passwd and /etc/shadow to find out usernames and passwords. With encrypted passwords samba uses its own database with the tdbsam backend. There was also a smbpasswd backend which is now deprecated. But it’s very handy if you want to upgrade to encrypted passwords without having every user to enter her password again to fill the new database. There is the global option “update encrypted = yes” which replaces a plaintext password with an encrypted one when the user logs in. The plaintext password is written to the smbpasswd file defined in smb.conf (This does not work with the tdbsam backend but you can migrate from smbpasswd to tdbsam easily afterwards). So before we let the users login again we have to generate a smbpasswd file. One way to achive this is to run this command:

cat /etc/passwd | mksmbpasswd >> /etc/samba/smbpasswd

(assuming that “passdb backend = smbpasswd:/etc/samba/smbpasswd” is in your smb.conf)
After all users have logged in (check smbpasswd file for filled in passwords) you can disable plaintext auth.

Watch out for bug in WinXP SP3 with plaintext auth!
When I made this migration it happened that this procedure was working great for some clients where others completely failed to login. I found out that Win7 clients and WinXP clients with SP2 worked, but WinXP clients with SP3 were failing. The reason is simply a bug caused by patch KB2536276. You can find the full story in bugzilla of samba: Windows security patch KB2536276 prevents access to shares
In my case I was lost and had to ask the users to type in their passwords again but there seems to be a workaround if you read the last comments in the bugreport (changing domain name)

5/5/2005

E-Banking with “a.sign Signaturkarte (Bankomatkarte)”

Filed under: — jimmy @ 9:22 pm

cyberjack cardreader

Finally I managed to use my “Bankomatkarte” to login at my bank’s e-banking site. I’ve tested it on two machines, one running kernel 2.6.9, the other one running 2.4.27. The cardreader is a “Cyberjack pinpad”. Both kernels had a module called cyberjack to handle the cardreader (USB). Only a few steps are necessary to install all necessary software:

  • Compile and install the kernel module (cyberjack, located in USB-serial drivers)
  • Install ctapi (can be found on the CD that comes with the reader
  • Plug in the reader to the usb port and insert your card
  • Test ctapi by executing “cjgeldkarte”
  • Open your e-banking site and test the login

Unfortunately it didn’t work under 2.6.9. I always had problems with permissions, it only worked for root. I have to test other 2.6.x kernels to find out if the problem is kernel-related.

3/21/2005

Accessing mysql through ssh tunnel

Filed under: — jimmy @ 8:42 pm

Usually the mysql server is configured not to allow network connections. Recently I had to find a way to allow connections over the internet, even the root account should be able to connect. I decided to use a ssh tunnel and configured the mysql daemon to listen on 127.0.0.1. Additionally the mysql port (3306) is blocked by the packetfilter.
Thus I had to add the “bind-address” option to /etc/mysql/my.cnf:

[mysqld]
user            = mysql
pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
port            = 3306
bind-address    = 127.0.0.1

Furthermore I had to comment out “skip-networking”:

# skip-networking

Otherwise mysqld would only work with sockets and not with TCP/IP connections.

To start the ssh tunnel run:

ssh -N -L 3306:localhost:3306 jimmy@mysql_host.com

Now connect to mysql with:

mysql -h 127.0.0.1

Use 127.0.0.1, not localhost, when connecting to the server. Otherwise the mysql-client will try to connect to localhost, without using the tunnel.

11/1/2004

Orinoco drivers and monitor mode

Filed under: — jimmy @ 1:32 pm

When testing security of wireless networks, you need to set your wireless card into monitor mode to capture packets. It works out of the box with linux-wlan-ng drivers, but it you want to use the orinoco driver which in included in the official kernel source, you are out of luck. It doesn’t support the monitor mode, but you can patch the orinoco source to get back the monitor mode.
First, download the patch (The patch is for version 0.13e which is included in the latest 2.6.x kernels).
Next, patch the kernel source:

devil:~# cd /usr/src/linux/drivers/net/wireless/
devil:/usr/src/linux/drivers/net/wireless# patch -p1 < monitor-0.13e.patch

Now recompile your kernel. In my case the drivers are compiled as modules, so I only had to run

devil:/usr/src/linux/drivers/net/wireless# cd /usr/src/linux/                     
devil:/usr/src/linux# make modules && make modules_install

iwpriv should now list the monitor mode.